CVE-2026-5234 (GCVE-0-2026-5234)
Vulnerability from cvelistv5 – Published: 2026-04-17 03:36 – Updated: 2026-04-17 18:38
VLAI?
Title
LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID
Summary
The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController which properly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice.
Severity ?
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| latepoint | LatePoint – Calendar Booking Plugin for Appointments and Events |
Affected:
0 , ≤ 5.3.2
(semver)
|
Credits
darkestmode
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5234",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T18:38:28.386411Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T18:38:40.183Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
"vendor": "latepoint",
"versions": [
{
"lessThanOrEqual": "5.3.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "darkestmode"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController which properly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T03:36:44.618Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afec4c8c-a18d-4907-8879-2412f8a1abed?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L31"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L31"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L33"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L33"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L50"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L50"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L20"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L20"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3505127/latepoint/trunk/lib/controllers/stripe_connect_controller.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T14:20:32.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-16T15:19:09.000Z",
"value": "Disclosed"
}
],
"title": "LatePoint \u003c= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5234",
"datePublished": "2026-04-17T03:36:44.618Z",
"dateReserved": "2026-03-31T14:05:18.117Z",
"dateUpdated": "2026-04-17T18:38:40.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-5234",
"date": "2026-04-17",
"epss": "0.0007",
"percentile": "0.21327"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-5234\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-04-17T05:16:18.830\",\"lastModified\":\"2026-04-17T05:16:18.830\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController which properly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L20\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L31\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L33\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L50\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L20\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L31\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L33\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L50\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset/3505127/latepoint/trunk/lib/controllers/stripe_connect_controller.php\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/afec4c8c-a18d-4907-8879-2412f8a1abed?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-5234\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-17T18:38:28.386411Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-17T18:38:34.601Z\"}}], \"cna\": {\"title\": \"LatePoint \u003c= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"darkestmode\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"latepoint\", \"product\": \"LatePoint \\u2013 Calendar Booking Plugin for Appointments and Events\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.3.2\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-03-31T14:20:32.000Z\", \"value\": \"Vendor Notified\"}, {\"lang\": \"en\", \"time\": \"2026-04-16T15:19:09.000Z\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/afec4c8c-a18d-4907-8879-2412f8a1abed?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L31\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L31\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L33\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L33\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L50\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L50\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L20\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L20\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3505127/latepoint/trunk/lib/controllers/stripe_connect_controller.php\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController which properly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639 Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-04-17T03:36:44.618Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-5234\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-17T18:38:40.183Z\", \"dateReserved\": \"2026-03-31T14:05:18.117Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2026-04-17T03:36:44.618Z\", \"assignerShortName\": \"Wordfence\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…